What is the best way to protect your network? ;)

RichardJansma Member Posts: 21
edited August 10, 2019 in Devices & Security #1

I believe there are many people here who protect internet networks and use various products...



My home network is set up with:

  1. ISP DSL (From so home Cable) ISP Modem
  2. Syfer
  3. Ubiquiti UniFi Security Gateway USG Pro
  4. Ubiquiti UniFi Switch (48 Port 500W PoE+)
  5. Ubiquiti UniFi AP Pro

and then all other devices, including a Synology NAS and more.


Also, to connect we use MAC addresses.


Is this good, and maybe any tips and tricks? ;)



And what do you guys have?


Yours Sincerely,




Richard Jansma

Hypnotist, Master Magnetist, Dataist & Believer of future technology!


Comments

  • VioletChepil
    VioletChepil London, UKMember Posts: 2,471
    @Joe @KayJay @John @TheCustomCave - anything to add on protecting your network! 

    Community Manager at Fing

  • KayJay
    KayJay Member, Beta Tester Posts: 38
    Wow!  To me, it seems like you are pretty much covered...way more than what I have in my network.  Currently, I only have the following:
    • ISP-provided modem/router
    • Fingbox
    • All other devices
    You've got me looking into that Syfer product now :smile:
  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    edited August 13, 2019 #4
    For the devices themselves, you have a great setup.  Using Syfer and not solely relying on the capabilities of a DSL modem is very smart.
    The only suggestion that I can provide is to disable UPnP in Syfer, and be careful of how many open ports you configure for data traffic.  MAC addresses can be spoofed, so be wary of relying a lot on that.  Cycle through passwords on a rotation, changing them every x weeks or months.  Use a generated password to ensure a secure environment.  Never use human-readable words for your passwords; using a password generator and distributing that selectively is a great way to manage it.
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
  • Lee_Bo
    Lee_Bo Member Posts: 272
    Cable modem from ISP, Ubiquiti hardware, Fingbox.  Fingbox set up to automatically block new devices.  My setup is probably overkill for a home network but I'd rather spend a few extra dollars and be safe.
  • Joe
    Joe Member, Beta Tester Posts: 54
    If you have any VoIP services, make sure you enable any firewalls to block port 5060 from anything other than your known VoIP provider. I spotted some git from Russia trying to hack my Asterisk PBX.
  • Pooh
    Pooh Member, Beta Tester Posts: 674
    edited August 14, 2019 #7
    I'm seriously thinking of segmenting my Rokus, receivers, Blu-ray player & Wii into the guest SSID just so they don't get to see the main network.
    People say nothing is impossible, but I do nothing every day.
  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    Joe said:
    If you have any VoIP services, make sure you enable any firewalls to block port 5060 from anything other than your known VoIP provider. I spotted some git from Russia trying to hack my Asterisk PBX.
    First of all ... you said 'git' =)  I haven't heard that in, ahem ... decades. =)
    That's good advice to lock down the SIP port to only receive from a specific IP.  Should be able to obtain that information from the provider easily enough.
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
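    A worked example added here (not code from the thread, from Fing or from any product named in it) of the lockdown Joe and kltaylor describe: nftables rules that admit SIP only from the provider's addresses and log-and-drop everything else, plus a check over constructed netfilter log lines for SIP-port hits from anywhere else. The provider range 203.0.113.0/24 and the PBX address 192.0.2.10 are documentation addresses standing in for your real ones, and the rules are assumed to go in an `inet filter` input chain.

```python
import ipaddress
import re

# Assumed provider trunk range: a documentation (TEST-NET-3) prefix standing in for the
# address(es) your VoIP provider tells you it signals from.
PROVIDER_CIDRS = ["203.0.113.0/24"]
SIP_PORTS = {5060, 5061}          # SIP over UDP/TCP and SIP-TLS

def nft_sip_rules(provider_cidrs, ports=SIP_PORTS):
    """Rules for an nftables input chain: admit SIP from the provider, log and drop the rest."""
    nets = ", ".join(provider_cidrs)
    port_set = ", ".join(str(p) for p in sorted(ports))
    return [
        f"ip saddr {{ {nets} }} udp dport {{ {port_set} }} accept",
        f"ip saddr {{ {nets} }} tcp dport {{ {port_set} }} accept",
        f'udp dport {{ {port_set} }} log prefix "SIP-DROP: " drop',
        f'tcp dport {{ {port_set} }} log prefix "SIP-DROP: " drop',
    ]

# Fields of the netfilter LOG target format that matter here: source address and destination port.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

def sip_hits_from_unknown_sources(log_lines, provider_cidrs, ports=SIP_PORTS):
    """Return (source, port) for every SIP-port hit whose source is outside the provider ranges."""
    nets = [ipaddress.ip_network(c) for c in provider_cidrs]
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or int(m["dpt"]) not in ports:
            continue                      # not a SIP-port record
        src = ipaddress.ip_address(m["src"])
        if not any(src in n for n in nets):
            hits.append((str(src), int(m["dpt"])))
    return hits

# Constructed sample log lines (documentation addresses only): one from the provider,
# two SIP-port hits from elsewhere, and one unrelated HTTPS connection.
SAMPLE_LOG = [
    "kernel: SIP: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060",
    "kernel: SIP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060",
    "kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=443",
    "kernel: SIP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5061 DPT=5061",
]

if __name__ == "__main__":
    print("\n".join(nft_sip_rules(PROVIDER_CIDRS)))
    for src, port in sip_hits_from_unknown_sources(SAMPLE_LOG, PROVIDER_CIDRS):
        print(f"SIP attempt from {src} on port {port} (not a provider address)")
```

    The log check is the part worth keeping running after the rules are in place: a provider that changes its signalling addresses shows up as dropped calls, and anything else hitting 5060 shows up as noise you can now see.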
  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    Pooh said:
    I'm seriously thinking of segmenting my Rokus, receivers, Blu-ray player & Wii into the guest SSID just so they don't get to see the main network.
    Unless there is a reason for an IoT device to access the LAN, more specifically for access to shared storage, I would absolutely do that.  If your router allows you to add more than one SSID, create one that only has access to the inter-webs, but still needs a strong password to join.
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
  • Pooh
    Pooh Member, Beta Tester Posts: 674
    kltaylor said:
    First of all ... you said 'git' =)  I haven't heard that in, ahem ... decades. =)
    I've been training the folks here in Cincinnati, Ohio to speak 'proper' English. So much easier now I can say 'owt', 'nowt', 'butchers', 'dog n bone', 'muppet', 'knackered' and some of the more colourful English colloquialisms in regular conversations.

    git however is in regular parlance after Linus Torvalds named his source code control system 'git'. Telling folk the reason behind the name is still fun, though :)
    People say nothing is impossible, but I do nothing every day.
  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    Pooh said:
    kltaylor said:
    First of all ... you said 'git' =)  I haven't heard that in, ahem ... decades. =)
    I've been training the folks here in Cincinnati, Ohio to speak 'proper' English. So much easier now I can say 'owt', 'nowt', 'butchers', 'dog n bone', 'muppet', 'knackered' and some of the more colourful English colloquialisms in regular conversations.

    git however is in regular parlance after Linus Torvalds named his source code control system 'git'. Telling folk the reason behind the name is still fun, though :)
    Heh... Muppet. =)
    Git was a term that was used back when I was growing up, could easily start fights over being called it, too. 
    Ahhh ... memories. =)
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
  • TheCustomCave
    TheCustomCave Member, Beta Tester Posts: 48
    It's a bit of a complex topic really as you've got to account for myriad vectors for attack, or intrusion, or phishing, or simply accidentally bringing some malware into the network.

    I am fortunate enough to run on enterprise grade hardware, using Meraki devices for my security appliance and then a combination of Ruckus and Meraki for my WiFi access points too.

    Passwords are an interesting one. Ideally points of entropy are the first port of call - a longer password with more characters is more secure than a short one with mixed letters, numbers, symbols etc.
    Ideally use the browser's secure password generator (if available), or another password manager, to generate and store secure passwords which are unique to each website/service you use.

    Lock down anything you can within your router's configuration, close ports you don't need to have open, and geoblock IP address ranges outside of any you personally deal with. Those will get you a nice start.

    Have decent antivirus installed (not Norton/Symantec), make sure it's running real time protection, make sure it's updated at least every day.
    If you can, lock down your user account so you don't have Admin access by default. Enable UAC, set it at the highest level you can be bothered with.

    Always have at least 3 copies of all important data, in at least 2 physical locations.

    Ad-blocking is another one which is useful, it reduces the chances of pulling malware onto your machine. I use Pi-hole on my network, but there's also Ghostery and uBlock Origin for most browsers on Windows.

    I realise this is getting more into general safety here, but it all goes to help keep your network safe.
    There's plenty of other information to add but I'll give you all a rest for now.
  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    In regards to protecting your network, or in this case on the client level, I just came across this little tidbit:
    While I mainly use Firefox as my default browser, and DNS over HTTPS is a toggle in the Options -> Network Settings portion, I've also installed this on my work machine and laptop so far.
    Curious to hear some input on it, so far it's working as intended.

    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
  • Lee_Bo
    Lee_Bo Member Posts: 272
    kltaylor said:
    Joe said:
    If you have any VoIP services, make sure you enable any firewalls to block port 5060 from anything other than your known VoIP provider. I spotted some git from Russia trying to hack my Asterisk PBX.
    First of all ... you said 'git' =)  I haven't heard that in, ahem ... decades. =)
    That's good advice to lock down the SIP port to only receive from a specific IP.  Should be able to obtain that information from the provider easily enough.

  • atomicboy
    atomicboy Member, Beta Tester Posts: 67
    I run a firewall appliance using Untangle in bridge mode behind my router on the LAN side. Typically a firewall appliance is installed at the “edge” of a network; however, I run a set of VPN tunnels from my multi-WAN router to an AWS EC2 instance that, for simplicity, I do not want to screw around with. I did try running pfSense. After spending much time and effort, I could not get it to run in bridge mode, whereas Untangle facilitates this as part of the initial install. The default Untangle settings are very good out of the box. My appliance is a “cheap” fan-less Qotom with an i5 processor which I upgraded the SSD on. The Untangle forum is very user friendly for those less knowledgeable.
    The Fixed Wireless Router/Modems that my ISP provides do not expose the firewall so I have no idea how good they are and lots get them and are caught by my Untangle Firewall which uses a dynamic list from a threat service. I do not use my main commercial router’s firewall as I am not proficient enough to build the rule set required.
    I also use scanning programs and VPN programs. 
    So my biggest threat is in my actions in how I use the internet. 